CryptoLocker evolves with new monetization schemes

CryptoLocker, an aggressive piece of ransomware that utilizes encryption, has caught the attention of the United States Computer Emergency Readiness Team and Britain’s National Crime Agency, both of which issued alerts about the risks that it creates to Windows users. Although it infects PCs via standard channels such as spam email and is simlar to many other fake antivirus and ransomware attack, its distinctive use of strong encryption and a countdown timer makes it unusual and worthy of more caution.

As if they had not already gone far enough, CryptoLocker’s creators also recently shifted their monetization tactics, giving willing users additional time to pay the ransom with bitcoin or MoneyPak. Previously, victims had a hard deadline – 72 hours after infection – to pay up, after which the encryption key for their data was destroyed.

The change in tactics underscores the real risk that CryptoLocker poses to individuals and enterprises. Everyone must be extra diligent about safely handling email, installing software updates and setting well-defined usage policies. Going forward, cybersecurity professionals will also need to continue focusing on CryptoLocker detection solutions and encouraging users to make regular backups.

Why CryptoLocker is so noteworthy
CryptoLocker is a unique challenge for cybersecurity professionals because it combines sophisticated social engineering tactics with encryption technology and a countdown timer, the later of which significantly ups the scare factor and may increase the payment rate. It is spread through seemingly legitimate emails, with subject lines that may suggest that they are from disgruntled customers in need of technical support. US-CERT stated that CryptoLocker emails sometimes purport to be UPS or FedEx tracking notices, while the NCA revealed that they may also resemble notices from financial institutions.

Furthemore, Trend Micro’s research has indicated that CryptoLocker may have connections to other malware such as ZeuS/ZBOT, and that arrest of the creator of the Blackhole Exploit Kit may be tied to the recent pattern of CryptoLocker infections. Many users are now falling for the scheme by clicking on an email attachment, after which CryptoLocker changes a registry value and attempts to contact a command-and-control server. It initially used a hardcoded domain, but has since taken to a random domain generator algorithm that scrapes the current system time and redirects to one of seven top-level domains.

The malware file receives a public encryption key from the server via HTTP POST requests. The transaction is protected with RSA encryption that helps CryptoLocker evade detection from cybersecurity researchers that may be trying to set a trap.

After the communications lane has been established, CryptoLocker goes to work scrambling the contents of the PC’s internal storage, as well as any attached network drives. It requests a unique RSA public key and then looks for any file with an extension contained in its preconstructed list. Examples include widely used formats such as .docx, .rtf and .raw.

Each file is scrambled with a 256-bit AES key, which is then encrypted with the RSA key. The ransomware writes the changes to the original file and logs all actions to the altered registry entry.

CryptoLocker then starts a 72-hour timer and will destroy the key unless the victim buy a decryption kit from the perpetrators for $300. As cybersecurity researcher Brian Krebs has pointed out, removing CryptoLocker means that the user may have trouble recovering the lost assets outside of redownloading CryptoLocker to start the process all over again. The latest versions of CryptoLocker actually include a URL that lets users redownload the malware in case it was deleted.

However, users can protect themselves in several ways. For example, security products can block the URLs from which CryptoLocker requests the public key. On a less technical level, users can keep a eye out for any email attachments that they were not expecting, keeping software up-to-date and creating backups.

CryptoLocker creators have upped the ante, asking for higher ransoms
These precautions will be crucial in light of how CryptoLocker has evolved to make better use of its distinctive countdown timer system and monetization structure. CryptoLocker does not accept credit card payments, likely to avoid chargeback and disputes. Instead, users must pay using popular cryptocurrency bitcoin or the stored-value MoneyPak card from Green Dot Corporation.

Users have been understandably confused about the unusual payment terms, with many likely having lost access to files solely due to lack of familiarity with bitcoin and MoneyPak. However, CryptoLocker’s creators have seized the opportunity and loosened the 72-hour limit to give users more time to get up to speed on how to pay.

“They realized they’ve been leaving money on the table,” BleepingComputer.com’s Lawrence Abrams told Krebs. “They decided there’s little sense in not accepting the ransom money a week later if the victim is still willing to pay to get their files back.”

Most users have paid the ransom with MoneyPak, since many found the bitcoin mining process too time-consuming and byzantine. CryptoLocker’s creators have upped the ante even more by introducing the CryptoLocker Decryption Service, a “customer service” portal from which users can upload encrypted assets and purchase corresponding keys.

What can users do to protect themselves from CryptoLocker?
Ultimately, paying for file decryption only encourages CryptoLocker and copycat schemes. It’s difficult to know exactly how many users have actually acquiesced to CryptoLocker’s demands, due to the anonymous nature of bitcoin.

“The way these people tend to work is that if you’re silly enough to pay them anything, they’ll ask for double,” Damballa Security consultant Adrian Culley told ITProPortal. “Paying the ransom won’t get your data back; the way to get it back is to have a secure backup copy.”

Making regular backups is one of the most effective ways to lessen the impact of CryptoLocker. There are also detection and prevention tools that can block malicious domains and modify group policies. However, organizations and individuals will also have to follow best practices for handling email and updating software. Beating CryptoLocker requires a combination of technical and practical measures.

Ultimately, CryptoLocker is mostly notable because of it use of strong encryption, a countdown timer and a complex monetization scheme. However, the cybersecurity community can keep users safe by continuing to work on preventative and educational solutions that mitigate the risk of CryptoLocker infection.